DNS RPZ Protection From DoH
Ondřej Surý
ondrej at isc.org
Wed Oct 2 11:36:17 UTC 2019
Hi Blason,
depends on what you mean by “DoH”.
You can disable the Mozilla automatic bootstrap with RPZ: https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default
That’s the most lightweight option.
The most heavyweight would be a transparent MITM HTTPS proxy/firewall.
Somewhere in between is a firewall blocking the well-known IP addresses (the post from Daniel), but that mostly blocks the “good guys”.
Ondřej
--
Ondřej Surý — ISC
> On 2 Oct 2019, at 13:24, Blason R <blason16 at gmail.com> wrote:
>
>
> Hi Folks,
>
> Wondering if anyone has any clue or defining policies for blocking DoH [DNS Over HTTPS] traffic using bind RPZ feature?
>
> Does anyone have any use case about it?
>
> Thanks and Regards,
> Blason R